"Relay Access Denied" or "Hop Count Exceeded" non-delivery report (NDR) error message when users send mail to Office 365 users

Article translations Article translations
Article ID: 2603474 - View products that this article applies to.
Expand all | Collapse all

Symptoms

When an external sender tries to send an email message to a Microsoft Office 365 user, the external user receives a non-delivery report (NDR) that resembles the following:
<Domain_URL> #5.7.1 smtp;554 5.71 <client_email_address>: Relay access denied

When an Office 365 user tries to send an email message, the Office 365 user receives an NDR that resembles the following:
<Domain_URL> <# <Domain_URL> #5.4.6 smtp;554 5.4.6 Hop count exceeded - possible mail loop> #SMTP#


Cause

This issue may occur if one of the following conditions is true:
  • The domain is not added as an accepted domain (that is, the domain is not verified) in Office 365.
  • Domain propagation to the Microsoft Forefront Online Protection for Exchange (FOPE) Edge Transport servers requires up to 45 minutes after an Office 365-accepted domain is added, moved, or deleted in FOPE. Or, the domain is propagated, but it is configured as outbound-only.
  • In FOPE, the Exchange on-premises organization is not defined as being enabled to relay email messages.
  • Mail delivery settings in the FOPE Administration Center are not set correctly for the expected email flow.


Resolution

To resolve this issue, use one of the methods in the following table, as appropriate for your situation.

Collapse this tableExpand this table
CauseResolution
The domain is not added as an accepted domain (that is, the domain is not verified) in Office 365.Make sure that the domain has a status of "Verified" in the Office 365 domains section.

For more information about how to add and verify domains in Office 365, go to the following Microsoft website:
Add your domain to Office 365
For more information about how to troubleshoot adding and verifying domains in Office 365, click the following article number to view the article in the Microsoft Knowledge Base:
2515404 Troubleshoot domain verification issues in Office 365
Domain propagation to the FOPE Edge Transport servers requires up to 45 minutes after an Office 365 accepted domain is added, moved, or deleted in FOPE. Or, the domain is propagated but is configured as outbound-only.Populate your domain in FOPE. To do this, use the following Windows PowerShell commands to force FOPE to recognize your Office 365 domain. This creates the necessary records.
Set-AcceptedDomain <domain> -OutboundOnly $true
Set-AcceptedDomain <domain> -OutboundOnly $false

Note The placeholder <domain> represents the vanity domain that you want to use.

It will take 30 to 45 minutes for propagation to all edge servers. During this time, you may receive an NDR message that states that the hop count is exceeded.
Hybrid coexistence scenarios only: In FOPE, the on-premises Exchange organization is not defined as being enabled to relay email messages.In the FOPE Administration Center, add the IP address of the on-premises server or servers to the IP addresses list on the outgoing (also known as "outbound") mail server. To do this, follow these steps:
  1. In the FOPE Administration Center, click Administration, click Domains, and then click the domain that is experiencing the issue.
  2. Under Outbound Mail Server IP Addresses, click Add, and then enter the IP address of the on-premises server or servers.
  3. Click Save.
It will take 30 to 45 minutes for propagation to all edge servers. During this time, you may receive an NDR message that states that the hop count was exceeded.
Mail delivery settings in the FOPE Administration Center are not set correctly for the expected email flow.If FOPE delivers mail directly to Exchange Online for the domain, make sure that the FOPE admin mail delivery settings are or the mail server address is set to Using inbound multi-SMTP profile: inboundsmtpprofile. If FOPE delivers mail to the on-premises Exchange organization, verify that the on-premises IP address is set as the address for delivery.


For more information about how to use the Set-AcceptedDomain cmdlet, go to the following Microsoft TechNet website:
Set-AcceptedDomain

Properties

Article ID: 2603474 - Last Review: October 10, 2013 - Revision: 12.0
Applies to
  • Microsoft Forefront Online Protection for Exchange
  • Microsoft Office 365 for small businesses  (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • Microsoft Office 365 for enterprises (pre-upgrade)
Keywords: 
o365 o365e o365062011 o365p o365a o365m KB2603474

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com